July 2006
Report No. 06-015

FDIC’s Oversight of Technology Service Providers

AUDIT REPORT

Background and Purpose of Audit

Under the Bank Service Company Act (BSCA), the FDIC and other federal financial regulators have statutory authority to regulate and examine the services a technology service provider (TSP) performs for FDIC-insured financial institutions.

According to the Federal Financial Institutions Examination Council (FFIEC) Outsourcing Technology Services Handbook, TSP relationships should be subject to the same risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly.

The overall objective for our series of audits of the FDIC’s oversight of TSPs is to assess the FDIC’s examination coverage of TSPs and related efforts to protect sensitive customer information. For this audit, we assessed the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage of TSPs. We also reviewed the extent to which TSP information was being captured in the FDIC’s Virtual Supervisory Information On the Net system (ViSION).

To view the full report, go to www.fdicig.gov/2006reports.asp

Results of Audit

The FDIC actively supported the FFIEC through examinations of numerous high-priority TSPs and has acted to strengthen its Information Technology (IT) Risk Management Program and coverage of TSPs. However, the FDIC’s oversight process used for identifying, monitoring, and prioritizing TSPs for examination coverage needs improvement. The FDIC does not have a current, accurate, and complete inventory of TSPs that are used by FDIC-supervised institutions and have access to sensitive customer information. The FDIC has taken action to address known weaknesses related to the TSP inventory, but additional attention is needed, particularly for TSPs that process sensitive customer information. Additionally, our evaluation of TSP data in ViSION found that the Division of Supervision and Consumer Protection (DSC) had not implemented adequate controls to obtain and maintain TSP data. As a result, the FDIC’s ability to identify and monitor TSPs; assess risk, including risk related to sensitive customer information; and prioritize use of examination resources for financial institutions and TSPs is limited.

Also, the FDIC could improve its participation in the TSP risk-based supervisory process used by the federal banking agencies. The FDIC was not always obtaining and completing Examination Priority Ranking Sheet (EPRS) information, which is used in scheduling and prioritizing TSP examinations in accordance with FFIEC guidance. In addition, FFIEC guidance on ranking TSPs as part of the EPRS process did not address consideration of the TSPs’ processing of sensitive customer information. As a result, FFIEC decisions and FDIC input into those decisions on the risks posed by TSPs and the frequency and extent of TSP examinations could lack sufficient support.

Recommendations and Management Response

The report makes six recommendations to help the FDIC: (1) better identify and monitor TSPs with access to sensitive customer information and (2) improve the process the FDIC uses (in conjunction with the other FFIEC agencies) for assessing the risks posed by, and prioritizing for examination, those TSPs with access to sensitive customer information.

FDIC management generally agreed with our recommendations. The FDIC will take steps to improve its TSP inventory and sharing of TSP information with the other federal banking agencies, enhance controls over BSCA notifications, increase data reliability, and work with the FFIEC IT Subcommittee regarding including in the new risk-based examination priority ranking program those TSPs processing sensitive customer information.

TABLE OF CONTENTS

BACKGROUND ... 1
RESULTS OF AUDIT ... 4
FINDINGS AND RECOMMENDATIONS ... 5
FINDING A: Inventory of TSPs ... 5
  BSCA Institution Guidance ... 5
  BSCA-Related Examination Guidance and Data Validation ... 6
  Obtaining and Maintaining IT Examination Data on TSPs ... 6
  Recommendations ... 9
FINDING B: Obtaining and Completing EPRS Information ... 10
  The EPRS Process ... 10
  Obtaining and Completing EPRS Information ... 11
  FDIC Guidance on the EPRS Process ... 12
  Recommendations ... 12
CORPORATION COMMENTS AND OIG EVALUATION ... 13
APPENDIX I: OBJECTIVE, SCOPE, AND METHODOLOGY ... 14
APPENDIX II: LAWS, REGULATIONS, AND GUIDANCE PERTAINING TO DATA SECURITY AT FDIC-INSURED INSTITUTIONS AND RELATED PRIVACY REQUIREMENTS ... 16
APPENDIX III: SUMMARY OF FINANCIAL INSTITUTION AND TSP-RELATED DATA SECURITY BREACHES REPORTED IN 2005 ... 20
APPENDIX IV: CORPORATION COMMENTS ... 21
APPENDIX V: MANAGEMENT RESPONSE TO RECOMMENDATIONS ... 29

Federal Deposit Insurance Corporation
Office of Audits, Office of Inspector General
3501 Fairfax Drive, Arlington, VA 22226

DATE: July 20, 2006

MEMORANDUM TO: Sandra L. Thompson, Acting Director, Division of Supervision and Consumer Protection

FROM: Russell A. Rau [Electronically produced version; original signed by Russell A. Rau], Assistant Inspector General for Audits

SUBJECT: FDIC’s Oversight of Technology Service Providers (Report No. 06-015)

This report presents the results of the first in a series of audits of the FDIC’s oversight of technology service providers (TSP).[1] We initiated this audit in response to reported data security breaches in 2005 involving sensitive customer information[2] maintained by financial institutions and, in some cases, TSPs (see Appendix III). The overall objective for our series of audits on TSPs is to assess the FDIC’s examination coverage of TSPs and related efforts to protect sensitive customer information. For this audit, we assessed the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage. Appendix I of this report details our objective, scope, and methodology.

[1] According to Interagency Guidelines Establishing Information Security Standards (Appendix B to Part 364 of the FDIC Rules and Regulations), service provider “means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank.”
[2] Sensitive customer information is defined by Appendix B to Part 364 of the FDIC Rules and Regulations as a customer’s social security number, personal identification number, password, or account number, in conjunction with a personal identifier such as the customer’s name, address, or telephone number. Such information would also include any combination of components of customer information that would allow someone to log onto or access another person’s account, such as a user name and password.

BACKGROUND

Under the Bank Service Company Act (BSCA),[3] the FDIC and other federal financial regulators have statutory authority to regulate and examine the services performed by third parties, such as TSPs, for FDIC-insured financial institutions. The FDIC’s Division of Supervision and Consumer Protection (DSC) has designated two categories of information technology (IT) examinations for providing examination coverage of TSPs. For TSPs that are owned or controlled by, or otherwise affiliated with, an FDIC-supervised financial institution, examination coverage is provided through DSC’s IT examination of the institution. The IT examination is generally conducted in coordination with safety and soundness examinations. For examinations of TSPs designated as Independent Data Centers (IDCs),[4] DSC policy directs the use of guidance issued by the FDIC and the other federal banking agencies that are members of the Federal Financial Institutions Examination Council (FFIEC).[5] This guidance, which describes a risk-based supervisory approach for IT examinations of TSPs, prioritizes the IDCs based on risk, with the FFIEC considering those TSPs rated a higher risk for separate IT examinations (discussed below). The relationships with lower-risk TSPs can receive examination coverage through the review of the financial institution’s vendor management program. We did not assess examination coverage of vendor management as part of this audit, but we are currently conducting an audit of that examination function.

[3] Codified to 12 U.S.C. 1867. Section 7(c) of the BSCA requires FDIC-insured financial institutions to notify the appropriate federal regulator of the existence of a third-party relationship within 30 days after contracting with, or the performance of the service by, the third party, whichever occurs first.
[4] IDCs are defined by the FDIC as TSPs that are not owned or controlled by, or otherwise affiliated with, a financial institution.
[5] In addition to the FDIC, the FFIEC includes the Federal Reserve Board, National Credit Union Administration, Office of the Comptroller of the Currency (OCC), and Office of Thrift Supervision (OTS).

The FFIEC IT examination handbook entitled Supervision of Technology Service Providers (TSP Handbook) identifies four work products related to separate IT examinations of TSPs.

• TSP Examination - The FFIEC agencies examine the higher-risk IDCs, as defined earlier, to identify existing or potential risks that could adversely affect serviced financial institutions. As of March 31, 2005 (the latest data available), there were approximately 130 of these TSPs subject to periodic examination, and the FDIC was the Agency-in-Charge (AIC) for 88 of those TSPs.

• Multi-Regional Data Processing Servicer (MDPS) Examination - A TSP is considered for the MDPS program if it processes mission-critical applications, such as general ledger or loan and deposit systems, for a large number of financial institutions with multiple regulators or geographically dispersed data centers. For example, some MDPSs process mission-critical applications for more than 1,000 financial institutions. FFIEC guidance requires examinations of MDPSs every 2 years or less, depending on the level of supervisory concern, because these entities pose a systemic risk to the banking system should one or more have operational problems or fail. Prior to September 30th of each year, the FFIEC Information Technology Subcommittee[6] of the Task Force on Supervision determines a schedule of MDPS examinations, which are performed jointly by the agencies. As of March 31, 2005, 17 TSPs were in the MDPS program.

• Shared Application Software Review (SASR) - A SASR is an interagency review of software programs or systems used by numerous financial institutions. SASRs help to reduce the time and resources needed to examine software and systems at individual institutions.

• Follow-Up Review - The purpose of this review is to: maintain communications with TSPs between on-site examinations; identify significant changes in management, products, services, or risk management practices affecting financial institutions; follow up on issues or concerns previously identified; and confirm business-line or service provider risk designations and their examination priority in order to update supervisory strategies.

[6] Representative IT examiners from the five FFIEC member agencies comprise this subcommittee.

The FFIEC has stated that the use of a TSP does not diminish the responsibility of the financial institution’s board of directors and management to ensure that the activities performed by the TSP are conducted in a safe and sound manner and in compliance with applicable laws and regulations. According to the FFIEC Outsourcing Technology Services Handbook (Outsourcing Handbook), TSP relationships should be subject to the same risk management, security, privacy, and other internal controls and policies that would be expected if the financial institution were conducting the activities directly.
According to the Outsourcing Handbook, written contracts are required for all outsourced servicing arrangements, including those with financial institution affiliates.

Section 501 of the Gramm-Leach-Bliley Act (GLBA)[7] requires the federal banking agencies to establish appropriate standards for financial institutions subject to their supervision in order to protect the security and confidentiality of customer information. The Act generally prohibits any financial institution from disclosing information to nonaffiliated third parties without notice to, and an opportunity for, the customer to opt out. The Act also provides an exception for nonaffiliated third parties, such as TSPs, that perform services for or functions on behalf of the financial institution. In response to the GLBA, the federal banking agencies issued Interagency Guidelines Establishing Information Security Standards, found at Appendix B of Part 364 of the FDIC Rules and Regulations. These guidelines require a financial institution to have a comprehensive information security program that includes safeguards appropriate to the size and complexity of the institution and nature and scope of its activities. Under these guidelines, banks must (1) require their TSPs, by contract, to implement appropriate measures to meet the objectives of the guidelines related to protecting against unauthorized access to or use of sensitive customer information and (2) monitor contract compliance by the TSPs, where warranted, according to the institution’s assessment of risk.

[7] See Appendix II for a summary of laws, regulations, and guidance pertaining to data security at FDIC-insured institutions and related privacy requirements.

The FFIEC’s TSP Handbook identifies the risks associated with maintaining the confidentiality and integrity of information. For example, the TSP Handbook discusses the reputational risk associated with errors, delays, or omissions in information technology that become public knowledge or directly affect customers and the compliance risk associated with the unauthorized disclosure of customer information that could expose institutions to civil money penalties or litigation. To capture information on these and other risks, the TSP Handbook recommends the use of an Examination Priority Ranking Sheet (EPRS) for those TSPs subject to separate IT examinations. The FFIEC agencies use this information to determine supervisory priorities based on the TSP’s business line risks, client base, and adequacy of internal control and risk management practices.

DSC uses the Virtual Supervisory Information On the Net (ViSION) system to provide automated support for many aspects of bank supervision, including application tracking, case management, safety and soundness examination, information technology examination, offsite monitoring, large bank analysis, management reporting, workload management and processing, and security. ViSION is used to capture information on examinations of financial institutions and their TSPs, including technology profiles and related risk data.

RESULTS OF AUDIT

The FDIC actively supported the FFIEC through examinations of numerous high-priority TSPs and has acted to strengthen its IT Risk Management Program and coverage of TSPs. However, the FDIC’s oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and prioritizing TSP examination coverage needs improvement.

The FDIC does not have a current, accurate, and complete inventory of TSPs that are used by FDIC-supervised institutions and have access to sensitive customer information. The FDIC has taken action to address known weaknesses related to the TSP inventory, but additional attention is needed, particularly for TSPs that process sensitive customer information. Additionally, our evaluation of TSP data in ViSION found that DSC had not implemented adequate controls to obtain and maintain TSP data. As a result, the FDIC’s ability to identify and monitor TSPs; assess risk, including risk related to sensitive customer information; and prioritize use of examination resources for financial institutions and TSPs is limited (Finding A).

The FDIC also could improve its participation in the TSP risk-based supervisory process used by the federal banking agencies. The FDIC was not always obtaining and completing EPRS information used in scheduling and prioritizing TSP examinations in accordance with FFIEC guidance. In addition, FFIEC guidance on ranking TSPs as part of the EPRS process did not address consideration of the TSPs’ processing of sensitive customer information. As a result, FFIEC decisions and FDIC input into those decisions on the risks posed by TSPs and the frequency and extent of TSP examinations could lack sufficient support (Finding B).

FINDINGS AND RECOMMENDATIONS

Finding A: Inventory of TSPs

DSC does not have a current, accurate, and complete inventory of TSPs that are used by FDIC-supervised institutions and have access to sensitive customer information.
Instead, the inventory is largely limited to those TSPs that are subject to separate examinations under FFIEC guidelines. In addition, TSP-related data, including data related to TSP processing of sensitive customer information, needed to perform thorough risk assessments and make fully informed decisions on examination priorities is not readily available for use in support of the TSP examination process. The primary causes of this condition are (1) outdated guidance to institutions on BSCA compliance, (2) no formal requirement for examiners to assess the adequacy of institution compliance with BSCA notification requirements, and (3) weaknesses in controls for obtaining and maintaining TSP data in the ViSION system from both BSCA notifications and IT examinations. As a result, the FDIC’s ability to identify and monitor TSPs; assess risk, including as it relates to sensitive customer information; and prioritize use of examination resources for financial institutions and TSPs is limited.

BSCA Institution Guidance. The FDIC has not established adequate internal controls to ensure that information on all TSP relationships is obtained. Specifically, in June 1999, the FDIC issued a Financial Institution Letter (FIL-49-99, Required Notification for Compliance with the Bank Service Company Act) reminding institutions of applicable BSCA notification requirements. The FIL further noted that some institutions were neglecting to file the required BSCA notices. The FIL contained an optional notification form that could be used by institutions in reporting covered contracts and relationships. The FIL used language from the BSCA to identify the types of services covered by the Act, but offered little clarification as to how that language should be interpreted and applied to contracts and other relationships for more recently implemented technology-related services. No other FILs addressing BSCA compliance have been issued to institutions since 1999, despite advances in technology-related services and increased use of TSPs by institutions. The BSCA was enacted on October 23, 1962, and the definition of services in Section 3 of the Act predates certain activities currently performed by TSPs, such as those related to Internet banking. As discussed below, inconsistent reporting of TSP relationships could result from varying interpretations of the BSCA notification requirement. Also, there is no requirement in the FIL or under the BSCA for a bank to notify the FDIC when a third-party service relationship is terminated. However, additional guidance to banks, including a requirement to notify the FDIC when a TSP relationship is terminated, would help provide necessary control for routine or consistent BSCA notifications to the FDIC that would support maintenance of a current, accurate, and complete TSP inventory.

Further, there are indications that financial institutions may be continuing to enter into BSCA-covered relationships with TSPs without providing required notices to the FDIC. For example, one TSP we identified performed credit card processing for five institutions supervised by the FDIC. In accordance with the BSCA, these five institutions should have filed BSCA notifications with the FDIC, describing, among other things, the services performed by the TSP. However, DSC could not locate copies of the BSCA notifications for four of the five institutions. According to DSC officials in San Francisco, some confusion exists among banks regarding the scope and applicability of the BSCA, and banks are not always notifying the FDIC of their third-party service relationships. Based on our interviews with DSC officials, no additional information pertaining to the BSCA notifications has been issued to banks since the 1999 FIL.

While updating and reissuing the 1999 FIL would help in addressing the concerns noted in this report, the FDIC should consider regulatory and other options, together with the other federal banking agencies, in order to ensure that BSCA notifications and the TSP inventory are current, accurate, and complete. In addition to providing notification of new contracts or service agreements with TSPs, such options could include uniform reporting on all TSP relationships using standard data elements for BSCA notifications, processing of sensitive customer information, information on third-party reviews and other oversight of TSPs,[8] publicly available information such as financial statements of the TSP,[9] and identification and notification of terminated TSP relationships.

[8] Part 364 of the FDIC Rules and Regulations discusses financial institution oversight of service provider relationships, including monitoring audits and other reviews of TSPs. This oversight is intended to help ensure that institutions and their service providers are meeting the Interagency Guidelines Establishing Information Security Standards, which require an appropriate information security program to be in place to protect customer information.
[9] In an article in the (summer 2005) FDIC Supervisory Insights, the FDIC noted the benefits of the review and analysis of public information in developing the Corporation’s supervisory response to potential risks at TSPs.

BSCA-Related Examination Guidance and Data Validation. Current guidance issued to DSC examiners on assessing the adequacy of institution compliance with BSCA notification requirements is insufficient. Under DSC’s former Information Technology General Work Program, issued in April 2004, examiners were required to determine whether the financial institution had filed notifications on TSP relationships with the appropriate regulator, as required by the BSCA, for services outsourced since the previous examination. However, this guidance was superseded in August 2005 by IT examination guidance on the FDIC’s Information Technology – Risk Management Program (IT-RMP). This IT examination guidance does not require examiners to determine a bank’s compliance with the BSCA notification requirements. Also, the current guidance does not require examiners to validate TSP information in the ViSION IT Examination Module, which serves as the TSP inventory and tracking system. Such validation should include use of both the BSCA notifications and IT examination information related to TSPs, as discussed below. Examination coverage of compliance with BSCA notification requirements and validation of the TSP data maintained by DSC in ViSION are critical to ensuring that the FDIC has a current, accurate, and complete TSP inventory; TSP data are reliable; and all TSP relationships are properly considered in the supervisory process.

Obtaining and Maintaining IT Examination Data on TSPs. Our evaluation of TSP data in ViSION found that DSC had not implemented adequate controls to obtain and maintain TSP data. Specifically, we found numerous problems with the integrity of data relating to TSPs, including duplication, incomplete data fields, and listings of TSP relationships that are no longer active. Further, we noted that ViSION’s ability to perform information queries is limited. For example, ViSION does not have the capability of listing banks serviced by a particular TSP or all the TSPs that are providing services to a particular financial institution. These issues reduce the usefulness of ViSION as a management tool for identifying and monitoring potential risks presented by TSPs and for prioritizing examination coverage.

As part of the IT examination process established in IT-RMP, examiners are required to complete a Technology Profile Script (Profile Script) on each financial institution and to obtain from the institution an Officer’s Questionnaire to help identify risks posed by the institution’s IT program, including risks posed by TSPs. The Profile Script is designed to be a basic measurement of the complexity and potential risk of the technology deployed at a financial institution. The Profile Script is not designed to identify all TSPs used by the institution. Because of the focus on institution risk, the Profile Script requires only limited information, such as the TSP name, for those TSPs processing core banking applications and providing Web site hosting and transactional E-Banking. TSPs used by institutions to perform other functions, such as credit card and mortgage processing, are not addressed in the Profile Script. Additionally, the Profile Script does not assign a priority to TSPs that process sensitive customer information or otherwise require collection of this data. As a result, the Profile Script is not a source of complete information on TSPs providing services to a particular financial institution or processing sensitive customer information.
According to DSC officials, the primary focus of the\nProfile Script is to determine the level of expertise needed to examine the institution. We also\nnoted that the Officer\xe2\x80\x99s Questionnaire requests information about the institution\xe2\x80\x99s IT program\nwith a focus on information security but does not request information on all TSPs servicing the\ninstitution or on TSPs that process sensitive customer information.\n\nAfter completing an IT examination of a financial institution, examiners are required to complete\nan IT ViSION database for each type of system or platform10 maintained by or for the financial\ninstitution. An IT template is the source of TSP data for ViSION. However, the template does\nnot provide for capturing information on all TSPs, only those considered a higher risk by the\nexaminer-in-charge of the examination. As a result, ViSION contains limited information to\nhelp the FDIC assess the risks related to the security of sensitive customer information at TSPs.\n\nWe performed an initial query of TSP information in ViSION and found over 10,000 records,\nmany of which were duplicate records or contained outdated information. DSC informed us that\nthe information was not accurate and provided us with a revised database reflecting\napproximately 800 TSP records. DSC officials informed us that when the conversion from the\nlegacy system11 to ViSION occurred in 2005, some of the TSP information was lost and errors\nwere introduced. According to DSC officials, it will take some time to ensure that the ViSION\ndatabase contains all the appropriate technology profiles of financial institutions and TSPs.\nViSION is the primary source for completing the Profile Script used in pre-examination\nplanning. Therefore, the completeness and reliability of the data is critical to upcoming\nexaminations that can include TSP coverage.\n\nWe also found that ViSION has limited reporting capabilities for TSPs. 
Although reports of\nTSPs can be retrieved, queries of this information are limited. For example, due to a system\nglitch and incomplete data, queries cannot be performed on a specific TSP and the services it\n\n\n\n\n10\n   A \xe2\x80\x9cplatform\xe2\x80\x9d describes some sort of framework, either in hardware or software, that allows software to run.\nTypical platforms include a computer's architecture, operating system, or programming languages and their runtime\nlibraries.\n11\n   The Banking Information Tracking System was previously used by DSC to track financial institution information.\n\n                                                    7\n\x0cprovides to financial institutions. Therefore, DSC did not use ViSION to monitor or prioritize\nTSPs for examination coverage. Further, DSC information received through BSCA notifications\nwas not entered into ViSION.\n\nFinally, DSC is maintaining a separate tracking system for BSCA notifications. As previously\nstated, the information from these notifications is not being entered into ViSION. Rather, since\nNovember 2004, DSC has required regional offices to send BSCA notices submitted by\ninstitutions to the DSC Technology Supervision Branch in Washington, D.C., where the\ninformation is entered into a separate \xe2\x80\x9cstand-alone\xe2\x80\x9d database that is not linked directly to\nViSION. DSC implemented this procedure to have a centralized system for tracking BSCA\nnotifications. As of December 2005, the Washington, D.C., database included information on\nBSCA notifications from about 400 of the more than 5,000 financial institutions that the FDIC\nsupervises. At present, DSC does not use this information as part of the examination process to\ndetermine the risks posed by individual TSPs to financial institutions. The justification for\nmaintaining two separate systems to track TSP data is not clear, especially given that the BSCA\ndatabase is not used for supervisory purposes. 
In our opinion, the oversight process for TSPs requires the integration of information received through BSCA notifications and as a result of examinations rather than the maintenance of separate systems that are not reliable or fully utilized.

DSC has the responsibility for ensuring the reliability of data in ViSION and its other information systems. FDIC Circular 1301.3, Data Stewardship Program, establishes the objectives of that program, including ensuring the usefulness, accuracy, timeliness, and accessibility of corporate data. The circular indicates that the FDIC's divisions and offices shall ensure that data stewardship responsibilities are fulfilled, including those related to the reliability of data. For DSC, this responsibility should include maintaining a current, accurate, and complete inventory of TSPs used by financial institutions and related information in order to successfully manage both safety and soundness risk and ensure the protection of sensitive customer information. For example, some of the key risk factors in determining risk associated with a TSP are the size of its client base, aggregate assets affected, and transaction volume. Without an accurate system to identify and monitor TSPs, including information on how many institutions a particular TSP services and which TSPs process sensitive customer information, the risk assessment process that identifies TSPs for examination is limited.

RECOMMENDATIONS

We recommend that the Director, DSC:

   (1) Assess, in conjunction with the other federal banking agencies, regulatory and other options for establishing and maintaining a current, accurate, and complete inventory of TSP information through the use of BSCA notifications, examination results, and other available data. 
Consideration should be given specifically to the content of BSCA notifications, the initiation and termination of TSP relationships, third-party reviews and other oversight of TSPs, and the processing of sensitive customer information.

   (2) Revise IT examination guidance to address coverage of financial institution compliance with BSCA notification requirements.

   (3) Establish policy and procedures for updating ViSION with information from BSCA notifications and the results of IT examinations, and discontinue use of a separate database for tracking these notifications.

   (4) Establish controls as part of DSC's implementation of the FDIC Data Stewardship Program to ensure the reliability and usefulness of TSP data in ViSION. Consideration should specifically be given to:

      •   Modifying the Profile Script, Officer's Questionnaire, and IT ViSION Template to identify all TSPs used by a financial institution and the relevant risk factors, including those that process sensitive customer information.

      •   Validating, as part of the supervisory process, TSP information in the ViSION IT Examination Module.

      •   Enhancing the ViSION report retrieval process to allow for the retrieval of information by TSP, to include data on all financial institutions serviced, as well as by institution, to include all TSPs used.

Finding B: Obtaining and Completing EPRS Information

The FDIC's participation in the risk-based supervisory process of TSPs used by the federal banking agencies could be improved. The FDIC was not always obtaining and completing EPRS information used in scheduling and prioritizing TSP examinations in accordance with FFIEC guidance. 
In addition, FDIC guidance does not address the agencies' consideration of the TSPs' processing of sensitive customer information when ranking TSPs as part of the EPRS process. As a result, FFIEC decisions and FDIC input into those decisions on the risks posed by TSPs and the frequency and extent of TSP examinations could lack sufficient support.

The EPRS Process. To assist in scheduling and prioritizing TSP examinations, the FFIEC agencies use EPRSs. The EPRS provides a framework for grouping TSPs into supervisory priorities based on the relative risk of their business lines, client base, and overall controls and risk management oversight. TSPs determined to be higher risk are subject to more frequent and extensive examinations and reviews. The AIC, as designated by the FFIEC, is responsible for coordinating the risk ranking of each TSP under its supervision. The TSP Handbook requires that, at the conclusion of each TSP examination, the AIC complete the applicable sections of the EPRS for that TSP and then distribute the form for review and comment by the other agencies. The risk-ranking factors are analyzed and discussed by the federal banking agencies comprising the FFIEC to determine future examination priority.

The TSP Handbook provides for an interagency review process that distributes sections of the completed EPRSs and allows for agency agreement or disagreement to be communicated and documented. 
In particular, the TSP Handbook states that the AIC is responsible for the following:

   •   Distributing copies of the completed sections of the EPRS to the other FFIEC agencies.
   •   Collecting agency agreements/disagreements and resolving any priority disagreements to the extent possible.
   •   Retaining all documentation supporting the priority designation and agency agreement/disagreement.
   •   Documenting the basis for the disagreement in the comment section of the EPRS when a resolution cannot be reached.

Further, the TSP Handbook states that agency representatives receiving an EPRS from the AIC are responsible for:

   •   Reviewing the completed sections of the EPRS.
   •   Completing the Agency Agreement on Examination Priority section and providing necessary comments, as applicable.
   •   Returning the completed form to the AIC by the requested response date.
   •   Retaining a copy for their records.

Obtaining and Completing EPRS Information. We reviewed the San Francisco Regional Office's (SFRO) Service Provider Profile Manual, which contains information on 28 TSPs.12 Our review showed the following:

     •   The EPRSs were not completed as required at the conclusion of each TSP examination. The EPRSs showing FDIC as the designated AIC had not been updated or reanalyzed since July 2002, despite subsequent TSP examinations. The EPRSs for which the FDIC was not the AIC were not always dated, which raised questions about current applicability.

     •   EPRSs were not always obtained from other regulatory agencies. In three out of six instances for which the FDIC was not the AIC, an EPRS was not obtained from the other regulatory agency. 
The only documentation retained, in two of these cases, was the SFRO's own data and analysis.

     •   For those TSPs for which the FDIC was not the AIC, the FDIC's concurrence was not always annotated within the EPRSs, and no supporting documentation was maintained justifying the FDIC's position or signifying that the FDIC had communicated its position to the AIC.

Also, supporting documentation was not being maintained to signify interagency agreement or disagreement and decisions on key sections of the EPRSs. For those TSPs for which the FDIC was the AIC, interagency concurrence was annotated in the EPRSs. However, no supporting documentation (such as a letter, e-mail, or meeting minutes) was maintained that signified interagency concurrence.

We noted that supervisory personnel are not required to identify the analytical basis used for completing the EPRS, such as results from an off-site analysis, other reviews, or a TSP examination. We also noted that, in those areas where documentation guidelines exist, FDIC personnel are not sufficiently documenting and/or supporting interagency concurrence. The EPRSs we reviewed did not note the source of the data used and analyzed, and oftentimes did not note the date that the EPRS had been completed. Although some EPRSs did not indicate that a supervisory review had occurred, regional office officials typically annotated when a supervisory review had been completed for those TSPs for which the FDIC was the AIC.

Examiners manually complete EPRSs and maintain them in various file folders at the regional offices. This manual process does not facilitate the sharing of information within the FDIC or with the other federal banking agencies, data monitoring and analysis, or timely updates. 
An automated EPRS process would be beneficial for updating EPRSs and for facilitating the regional office review and coordination processes with other federal banking agencies. A modification to automatically complete EPRSs in ViSION, which is already capturing some of the information needed for an EPRS, may assist the FDIC in its supervision of TSPs.

12 Of these 28 TSPs, 19 were listed in the SFRO TSP examination plan for 2004-2005. The FDIC was the AIC for 7 of the 19 TSPs, another agency was the AIC for 6 TSPs, and joint examinations were conducted on 6 TSPs designated as MDPSs. For those seven TSPs for which the FDIC was the AIC, six TSPs (86 percent) had a completed EPRS. For the one TSP that had an incomplete EPRS, a note attached to the form indicated that no ranking sheet was needed. However, no further explanation was provided, even though this TSP continues to be examined.

FDIC Guidance on the EPRS Process. The SFRO has implemented several practices that have enhanced its use of EPRSs and supervisory oversight for TSPs. In particular, the SFRO compiled information sheets that documented and centralized supporting data on certain TSPs. These sheets typically captured information on a TSP's ownership structure, system/software specifications, examination history, customer asset size, and a customer listing. The SFRO also maintained a service provider profile manual, which served as a central file for all completed EPRSs. Additionally, the SFRO performed and documented a review of those EPRSs. Furthermore, the SFRO maintains a TSP examination planning spreadsheet to facilitate examination tracking and scheduling. 
These best practices on the part of the SFRO should be considered by the FDIC for implementation across DSC because they helped to ensure adequate support for the EPRS process.

However, neither the SFRO nor the Atlanta Regional Office considered the processing of sensitive customer information a significant factor in completing an EPRS. The EPRS focuses on client base, business lines, prior examination rating, effective external oversight, technological stability, and prior problems in deciding upon risk factors. Nevertheless, the FDIC can and should ensure that the risks associated with processing sensitive customer information are factored into its recommendations to the FFIEC on the supervisory approach for a particular TSP. The FDIC had not issued guidance as a supplement to the TSP Handbook regarding the consideration of processing sensitive customer information as a risk factor for the EPRS. As a result, decisions by the FFIEC and FDIC concerning the risks posed by TSPs and the frequency and extent of TSP examinations could lack sufficient support.

RECOMMENDATIONS

We recommend that the Director, DSC:

   (5) Issue supplemental guidance to the TSP Handbook on the completion and sharing of EPRSs among the federal banking agencies and the consideration of the TSPs' processing of sensitive customer information in assigning risk factors to the TSPs.

   (6) Assess the merits of implementing an automated process, including the use of ViSION, for collecting, storing, monitoring, and sharing EPRSs and other TSP-related information with the other federal banking agencies comprising the FFIEC.

CORPORATION COMMENTS AND OIG EVALUATION

On July 19, 2006, the Acting Director, DSC, provided a written response to a draft of this report. DSC's response is presented in its entirety as Appendix IV to this report. 
The Acting Director\nindicated that the FDIC has long recognized that the protection of sensitive customer information by\neither financial institutions or service providers is a significant consumer protection and safety and\nsoundness risk area.\n\nIn its response, DSC generally agreed with the recommendations, noting that it had already\nimplemented or considered many of the recommendations and will work with the FDIC\xe2\x80\x99s\ninteragency partners to enhance the FDIC supervisory programs for TSPs. Regarding the TSP\ninventory, DSC agreed that the FDIC would benefit from enhancing centralized collection of TSP\ndata. Further, DSC will assess its options for improving the accuracy and completeness of the\ninventory of TSP information and will vet the TSP inventory issues raised in this report with the\nother FFIEC agencies. DSC also agreed that its IT examination procedures would include an option\nfor a compliance review of BSCA and has already included such a review in the IT General Work\nProgram. Additionally, DSC will review the IT officer\xe2\x80\x99s questionnaire for appropriate inclusion of\nBSCA notification requirements.\n\nDSC indicated that the data integrity issues with ViSION were the result of an upgrade and\nconversion from the prior legacy system to ViSION. During 2005, DSC implemented a data\ncorrection process, and by the end of that year, had a high level of confidence in the database.\nNevertheless, DSC will review its TSP controls and consider opportunities for further enhancement.\nDSC will propose to develop a centralized collection system to add BSCA notifications to the\nViSION architecture. DSC will also include a self-assessment item for BSCA notification\nrequirements in the officer\xe2\x80\x99s questionnaire, evaluate and consider additional risk-ranking measures\nfor TSPs, and propose relevant findings to the FFIEC IT Subcommittee for consideration. 
DSC\nnoted that the current ViSION report capability allows it to report all TSPs for a given institution and\nall institutions serviced by a given TSP. While we agree that the capability exists, continuing\nproblems with uploading customer lists (which show the number of banks serviced by a TSP) into\nViSION have limited DSC\xe2\x80\x99s ability to generate accurate reports on TSPs. DSC is currently\naddressing this problem through its IT Committee. In our opinion, the steps DSC is taking are\nsufficient to meet the intent of our recommendation.\n\nWith respect to obtaining and completing EPRS information, DSC noted that a new risk-based\nexamination priority ranking program has been adopted by the FFIEC, and the TSP Handbook is\ncurrently being rewritten to include new procedures. According to DSC, upon completion of the TSP\nHandbook, supervisory decisions about TSPs will have sufficient support. Also, DSC will raise the\ntopic of including sensitive customer information in the risk-ranking process to the FFIEC IT\nSubcommittee for discussion and consideration. Further, DSC will forward the OIG\nrecommendation of assessing the merits of implementing an automated process for collecting,\nstoring, monitoring, and sharing TSP and specific risk-related information among the federal banking\nagencies to the FFIEC IT Subcommittee for discussion and consideration.\n\nA summary of management\xe2\x80\x99s response to the recommendations is in Appendix V. DSC\xe2\x80\x99s planned\nactions are responsive to our recommendations. 
Accordingly, the recommendations are resolved but will remain open until we have determined the agreed-to corrective actions have been completed and are effective.

APPENDIX I

OBJECTIVE, SCOPE, AND METHODOLOGY

The overall objective for our series of audits of the FDIC's oversight of TSPs is to assess the FDIC's examination coverage of TSPs and related efforts to protect sensitive customer information. For this audit, we assessed the FDIC's oversight process for identifying and monitoring TSPs used by FDIC-supervised institutions and for prioritizing examination coverage. We focused our review on the FDIC's processes for identifying, monitoring, and prioritizing examinations of TSPs in light of the potentially significant data security risks these firms pose to consumers and the financial services industry. TSPs included in the MDPS program have been identified as entities that pose a systemic risk to the banking system and are examined periodically. Therefore, we did not review the process pertaining to the MDPS program. In addition, we limited our review to an evaluation of the adequacy of established policies and procedures and overall prioritization of TSPs and did not evaluate the performance of individual TSP examinations or other examinations that include TSP coverage.

We performed our audit from August 2005 through March 2006 in accordance with generally accepted government auditing standards. We reviewed selected TSP examinations and EPRSs that had been completed during 2004 and 2005. 
Additionally, we reviewed and analyzed:\n\n   \xe2\x80\xa2   the BSCA and applicable guidance issued by the FDIC;\n   \xe2\x80\xa2   various FDIC IT Examination Procedures and applicable Regional Director\xe2\x80\x99s\n       Memoranda;\n   \xe2\x80\xa2   the FFIEC\xe2\x80\x99s four information technology examination handbooks entitled,\n       Management, Outsourcing Technology Services, Supervision of Technology Service\n       Providers, and Retail Payment Systems;\n   \xe2\x80\xa2   IT examination data in ViSION;\n   \xe2\x80\xa2   DSC\xe2\x80\x99s Security Incident Report listings;\n   \xe2\x80\xa2   the Multi-Regional Data Processing Servicers list;\n   \xe2\x80\xa2   the SFRO\xe2\x80\x99s Technology Service Provider Examination listing and scheduling process;\n   \xe2\x80\xa2   the SFRO\xe2\x80\x99s and Atlanta Regional Office\xe2\x80\x99s EPRSs and related procedures; and\n   \xe2\x80\xa2   information files maintained at the San Francisco and Atlanta Regional Offices.\n\nAdditionally, we interviewed DSC officials in Washington, D.C., and in the San Francisco and\nAtlanta Regional Offices.\n\nGovernment Performance and Results Act, Reliance on Computer-Processed Data,\nManagement Controls, Compliance with Laws and Regulations, and Fraud and Illegal Acts\n\nThe Government Performance and Results Act of 1993 directs federal agencies to develop a\nstrategic plan, align agency programs and activities with concrete missions and goals, manage\nand measure results, and design budgets that reflect strategic missions. In this audit, we\nreviewed the FDIC\xe2\x80\x99s 2005 Annual Performance Plan and the FDIC\xe2\x80\x99s Strategic Plan for 2005-\n2010. 
These plans do not specifically address the subject of our audit.

We conducted tests to determine the reliability of computer-processed data obtained from the FDIC's ViSION system. Based on the review of information in ViSION, the data were not current, accurate, and complete, as discussed in the findings in this report.

We gained an understanding of relevant control activities by examining applicable policies and procedures as presented in the FDIC Rules and Regulations, FDIC's Statement of Policy, DSC's Risk Management Manual of Examination Policies, FDIC's Case Manager Procedures Manual, Examination Documentation Modules, and Regional Directors Memoranda and by reviewing available FFIEC and FDIC documentation related to TSP supervision and examination.

Regarding compliance with laws and regulations, we gained an understanding of aspects of the Federal Deposit Insurance (FDI) Act and the requirements of the FDIC Rules and Regulations. Also, we reviewed applicable sections of the BSCA. However, DSC documentation was not sufficient for us to verify institution compliance with the BSCA notice requirements (as discussed in this report). The scope of the audit did not encompass testing for fraud or illegal acts; nevertheless, we were alert for, but did not detect, such activity.

Regarding how banks manage their TSP relationships, we limited our work to gaining an understanding of the information examiners obtain during bank examinations. Also, we did not include offshore outsourcing of technology services in the scope of our audit. 
Future audit coverage in this area will include detailed reviews of vendor management, TSP examinations, offshore outsourcing, and supervisory efforts that address compliance with laws and regulations pertaining to safeguarding sensitive customer information.

APPENDIX II

LAWS, REGULATIONS, AND GUIDANCE PERTAINING TO DATA SECURITY AT FDIC-INSURED INSTITUTIONS AND RELATED PRIVACY REQUIREMENTS

Laws

12 United States Code (U.S.C.) 1464(d)(7), Home Owners' Loan Act
(A) General examination and regulatory authority. A service company or subsidiary that is owned in whole or in part, by a savings association shall be subject to examination and regulation by the Director, OTS, to the same extent as that savings association.
(B) Examination by other banking agencies. The Director may authorize any other federal banking agency that supervises any other owner of part of the service company or subsidiary to perform an examination described in subparagraph (A).
(D) Services performed by contract or otherwise. Notwithstanding subparagraph (A), if a savings association, a subsidiary thereof, or any savings and loan affiliate or entity, as identified by Section 8(b)(9) of the FDI Act, that is regularly examined or subject to examination by the Director, causes to be performed for itself, by contract or otherwise, any service authorized under this chapter or applicable state law, whether on or off its premises, (i) such performance shall be subject to regulation and examination by the Director to the same extent as if such services were being performed by the savings association on its own premises; and (ii) the savings association shall notify the Director of the existence of the service relationship not later than 30 days after the date on which the contract is entered or the date on which performance is initiated.

12 U.S.C. 1867, Bank Service Company Act
(a) Principal investor. A bank service company shall be subject to examination and regulation by the appropriate federal banking agency of its principal investor to the same extent as its principal investor. The appropriate federal banking agency of the principal shareholder or principal member of such bank service company may authorize any other federal banking agency that supervises any other shareholder or member of the bank service company to make such an examination.
(c) Services provided by contract or otherwise. Notwithstanding section (a) above, whenever a bank that is regularly examined by an appropriate Federal banking agency, or any subsidiary or affiliate of such a bank that is subject to examination by that agency, causes to be performed for itself, by contract or otherwise, any services authorized under this chapter, whether on or off its premises: (1) such performance shall be subject to regulation and examination by such agency to the same extent as if such services were being performed by the bank itself on its own premises, and (2) the bank shall notify such agency of the existence of the service relationship within 30 days after making such a service contract or the performance of the service, whichever occurs first.

15 U.S.C. 6801, Gramm-Leach-Bliley Act
Protection of nonpublic personal information.
(a) Privacy obligation policy. It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers' nonpublic personal information.
(b) Financial institutions' safeguards. In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for financial institutions subject to their jurisdiction relating to administrative, technical, and physical safeguards: (1) to ensure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

Regulations

12 Code of Federal Regulations (C.F.R.) Part 332, Privacy of Consumer Financial Information
(a) Purpose. Part 332 governs the treatment of nonpublic personal information about consumers by the financial institutions listed in paragraph (b) of this section. This part:
   (1) Requires a financial institution to provide notice to customers about its privacy policies and practices.
   (2) Describes the conditions under which a financial institution may disclose nonpublic personal information about consumers to nonaffiliated third parties.
   (3) Provides a method for consumers to prevent a financial institution from disclosing that information to most nonaffiliated third parties by "opting out" of that disclosure, subject to the exceptions in §§ 332.13, 332.14, and 332.15.
(b) Scope. (1) Part 332 applies only to nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes. This part does not apply to information about companies or about individuals who obtain financial products or services for business, commercial, or agricultural purposes. This part applies to the United States offices of entities for which the FDIC has primary supervisory authority.

Fair Credit Reporting Regulations, 12 C.F.R. Part 334
Interagency Proposed Rule implementing provisions of the Fair Credit Reporting Act (FCRA) that permit institutions to communicate consumer information to their affiliates without incurring the obligations of consumer reporting agencies. The privacy rule does not modify, limit, or supersede the operation of FCRA.

12 C.F.R. Part 364, Standards for Safety and Soundness, Appendix B, Interagency Guidelines Establishing Information Security Standards
(a) General standards. The Interagency Guidelines Establishing Standards prescribed pursuant to section 39 of the FDI Act (12 U.S.C. 1831p-1), as set forth as Appendix A to this part, apply to all insured state nonmember banks and to state-licensed insured branches of foreign banks that are subject to the provisions of section 39 of the FDI Act.
(b) Interagency Guidelines Establishing Information Security Standards. These guidelines prescribed pursuant to section 39 of the Federal Deposit Insurance Act (12 U.S.C. 1831p-1), and sections 501 and 505(b) of the Gramm-Leach-Bliley Act (15 U.S.C. 6801, 6805(b)), and with respect to the proper disposal of consumer information requirements pursuant to section 628 of the FCRA (15 U.S.C. 1681w), as set forth in Appendix B to this part, apply to all insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

Guidance

FIL-89-2004, FFIEC Information Technology Examination Handbook
The FFIEC has issued booklets with guidance on evaluating management and outsourcing technology services. The FIL states that "outsourcing of an activity does not relieve management and the board of directors of their responsibility to ensure the institution's data are processed in a secure environment and to maintain data integrity."

FIL-27-2004, Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes
The FDIC alerted financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers. The guidance provides financial institutions with background information on these schemes and describes how institutions can assist in protecting their customers.

Fair and Accurate Credit Transactions (FACT) Act Implementation
The OCC, FDIC, and OTS are adopting a final rule to implement section 216 of the FACT Act by amending the Interagency Guidelines Establishing Standards for Safeguarding Customer Information. The final rule generally requires each financial institution to develop, implement, and maintain, as part of its existing information security program, appropriate measures to properly dispose of consumer information derived from consumer reports.

Interagency Guidelines Establishing Standards for Safeguarding Customer Information and Rescission of Y2000 Standards for Safety and Soundness, 66 Federal Register 8615
Guidelines establishing standards for safeguarding customer information were revised to reference the security guidelines, implement Section 501(b) of GLBA, and require institutions to mandate appropriate security controls for contractual service providers.

FIL-64-2005, Guidance on How Financial Institutions Can Protect Against Pharming Attacks
The FDIC issued guidance to financial institutions describing the practice of "pharming," how it occurs, and potential preventive approaches. 
Financial institutions\n                                   offering Internet banking should assess potential threats\n                                   posed by pharming attacks and protect Internet domain\n                                   names, which \xe2\x80\x93 if compromised \xe2\x80\x93 can heighten risks to the\n                                   institutions.\nFIL-49-99, Bank Service            Section 7(c)(2) of the Bank Service Company Act states that\nCompany Act                        any FDIC-supervised institution that has services performed\n                                   by a third-party \xe2\x80\x9cshall notify such agency of the existence of\n                                   the service relationship within 30 days after the making of\n                                   such service contract or the performance of the service,\n                                   whichever occurs first.\xe2\x80\x9d As defined in Section 3 of the Act,\n                                   these services include \xe2\x80\x9ccheck and deposit sorting and\n                                   posting; computation and posting of interest and other credits\n                                   and charges; preparation and mailing of checks, statements,\n                                   notices, and similar items; or any other clerical,\n                                   bookkeeping, accounting, statistical, or similar functions\n                                   performed for a depository institution.\xe2\x80\x9d\n\nFIL-50-2001, Bank Technology        The bulletin introduces three short documents containing\nBulletin: Technology                practical ideas for banks to consider when they engage in\nOutsourcing Information             technology outsourcing. 
The documents are for\n                                    informational purposes only and should not be considered\n                                    examination procedures or official guidance.\n\n\n\n\n                                            19\n\x0c                                                                                               APPENDIX III\n\n\n           SUMMARY OF FINANCIAL INSTITUTION AND TSP-RELATED\n               DATA SECURITY BREACHES REPORTED IN 2005\n\n                                                                                                 Number of\n  Date Made\n                           Institution Name                        Type of Breach                Consumers\n    Public\n                                                                                                  Affected\nFeb. 15, 2005    ChoicePoint                             Bogus accounts established by             145,000\n                                                         identity thieves\nFeb. 25, 2005    Bank of America                         Lost backup tape                         1,200,000\nFeb. 25, 2005    PayMaxx                                 Exposed online                            25,000\nApril 20, 2005 Ameritrade                                Lost backup tape                          200,000\nApril 28, 2005 Wachovia,                                 Dishonest insiders                        676,000\n               Bank of America,\n               PNC Financial Services Group, and\n               Commerce Bancorp\nMay 16, 2005     Westborough Bank                        Dishonest insider                           750\nJune 6, 2005     CitiFinancial                           Lost backup tapes                        3,900,000\nJune 16, 2005    CardSystems Solutions, Inc.             
Hacking                                 40,000,000\nJune 29, 2005    Bank of America                         Stolen laptop                             18,000\nJuly 6, 2005     City National Bank                      Lost backup tapes                        Unknown\nAug. 30, 2005    J.P. Morgan                             Stolen laptop                            Unknown\nSept. 16, 2005   ChoicePoint                             ID thieves accessed; also misuse of        9,903\n                 (2nd notice, see Feb. 15 for 145,000)   IDs and passwords.\n\nSept. 17, 2005   North Fork Bank, NY                     Stolen laptop with mortgage data           9,000\n                 Bank of America                         Stolen laptop with information of      Not disclosed\nSept. 23, 2005\n                                                         Visa Buxx users (debit cards)\nSept. 28, 2005   RBC Dain Rauscher                       Illegitimate access to customer data 100+ customers'\n                                                         by former employee                       records\n                                                                                              compromised out\n                                                                                                of 300,000\nNov. 8, 2005     ChoicePoint                             Bogus accounts established by ID         17,000 in\n                                                         thieves                               addition to those\n                                                         Total affected now 172,000              noted earlier\n                                                         (See Feb. 15 & Sept. 16)\nNov. 9, 2005     TransUnion                              Stolen computer                            3,623\nNov. 11, 2005    Scottrade Troy Group                    Hacking                                  Unknown\nDec. 
1, 2005     Firstrust Bank                          Stolen laptop                             100,000\nSource: Compiled by Privacy Rights Clearinghouse (www.privacyrights.org).\n\n\n\n\n                                                   20\n\x0cAppendix IV\n\x0c     APPENDIX IV\n\n\n\n\n22\n\x0c     APPENDIX IV\n\n\n\n\n23\n\x0c     APPENDIX IV\n\n\n\n\n24\n\x0c     APPENDIX IV\n\n\n\n\n25\n\x0c     APPENDIX IV\n\n\n\n\n26\n\x0c     APPENDIX IV\n\n\n\n\n27\n\x0c     APPENDIX IV\n\n\n\n\n28\n\x0c                                                                                                                                               APPENDIX V\n\n\n                                           MANAGEMENT RESPONSE TO RECOMMENDATIONS\n\nThis table presents the management response on the recommendations in our report and the status of the recommendations as of the date of report\nissuance.\n                                                                                                                                                 Open\n                                                                                                                                         a\n Rec.                                                                                  Expected              Monetary         Resolved:           or\nNumber               Corrective Action: Taken or Planned/Status                     Completion Date          Benefits         Yes or No         Closedb\n              DSC will assess its options for improving the accuracy and\n      1       completeness of the TSP inventory information and will vet             March 30, 2007             N/A               Yes            Open\n              the issues with the other FFIEC agencies.\n              DSC will review the IT Officer\xe2\x80\x99s Questionnaire for\n      2       appropriate inclusion of BSCA notification requirements.               
March 30, 2007             N/A               Yes            Open\n              DSC will propose to the appropriate FDIC committees that\n      3       the FDIC develop a centralized collection system to add                March 30, 2007             N/A               Yes            Open\n              BSCA notifications to the ViSION architecture.\n              DSC will review the IT Officer\xe2\x80\x99s Questionnaire and include\n      4       a self-assessment item for BSCA notification requirements              March 30, 2007             N/A               Yes            Open\n              where appropriate. Additionally, DSC will evaluate and\n              consider additional risk-ranking measures for TSPs and will\n              propose any relevant findings to the FFIEC IT\n              Subcommittee for consideration. Also, DSC will review\n              current TSP controls and consider the opportunity for\n              further enhancement.\n              Supplemental guidance has been issued by the FFIEC and\n              the FDIC. 
DSC will raise the topic of including sensitive            September 30, 2006           N/A               Yes            Open\n      5       customer information in the risk-ranking method to the\n              FFIEC IT Subcommittee for discussion and consideration in\n              the risk-based examination priority ranking program.\n              DSC will raise the issue of TSP processing of sensitive\n      6       customer information with the FFIEC IT Subcommittee for              September 30, 2006           N/A               Yes            Open\n              interagency review and consideration.\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation, and the planned corrective action is consistent with the recommendation.\n               (2) Management does not concur with the recommendation, but planned alternative action is acceptable to the OIG.\n               (3) Management agrees to the OIG monetary benefits, or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long\n                   as management provides an amount.\nb\n    Once the OIG determines that the agreed-upon corrective actions have been completed and are effective, the recommendation can be closed.\n\n\n\n                                                      29\n\x0c"